我正在尝试从数据库中过滤结果。我有一个类过滤器,如下所示
<?php
class Filter{
protected $_dbHandle, $_dbInstance;
function search_car()
{
$this->_dbInstance = Database::getInstance();
$this->_dbHandle = $this->_dbInstance->getdbConnection();
$by_type = $_POST['by_type'];
$by_make = $_POST['by_make'];
$by_price = $_POST['by_price'];
$by_year_of_registration = $_POST['by_year_of_registration'];
$sql_query = "SELECT * FROM sta402_cars WHERE";
if ($by_type != "") {
$sql_query .= " type='$by_type'";
}
if ($by_make != "") {
$sql_query .= " make='$by_make'";
}
if ($by_price != "") {
$sql_query .= " price='$by_price'";
}
if ($by_year_of_registration != "") {
$sql_query .= " year_of_registration='$by_year_of_registration'";
}
$statement = $this->_dbHandle->prepare($sql_query); // prepare a PDO statement
$statement->execute(); // execute the PDO statement
return $statement;
}
}`
对这门课的调用在这里:
<?php if(isset($_POST['submit1'])) {
$filter = new Filter;
$retrieved_result = $filter->search_car($_POST);
$row = $retrieved_result->fetch();
$carData1 = new CarData($row);
foreach ($carData1 as $carData) {
echo '<tr> <td>' . $carData->getType() . '</td> <td>' . $carData->getMake() . '</td> <td>' . $carData->getModel() . '</td>
<td>' . $carData->getColour() . '</td> <td>' . $carData->getPrice() . '</td> <td>' . $carData->getYearOfRegistration() . '</td>
<td>' . $carData->getPicture() . '</td><td></tr>';
}
}
?>
我试图将回声放在过滤器类中,但没有任何变化。输出是..没有。结果应为空的位置保持空白,但所有其他内容都在页面上。我现在应该怎么做?我该怎么办?
您在这里有多个问题,首先是生成的查询可能是错误的。请考虑以下$_POST数据:
$_POST = [
'by_type' => 'minivan',
'by_year_of_registration' => '2011'
]
生成的 SQL 将如下所示:
SELECT * FROM sta402_cars WHERE type='minivan' year_of_registration='2011'
您在此处缺少AND条件。
您可以通过var_dump() ing $sql_query 来解决这个问题,并且还需要检查$statement->execute()的返回值(它应该返回false)。
您可以通过将WHERE子句放在数组中来解决此问题,然后implode(' AND ', $where)
此外,您在这里还有一个SQL注入漏洞,想象一下这样的$_POST:
$_POST = [
'by_type' => ''' OR is_hidden=1'
]
现在你的 SQL 是:
SELECT * FROM sta402_cars WHERE type='' OR is_hidden=1
显然,这个例子可能是无害的,但它也可能破坏SQL。解决方案是 a) 过滤输入,b) 正确使用准备好的查询,这将转义值:
$sql_query = "SELECT * FROM sta402_cars WHERE ";
$where = array();
$values = array();
if ($by_type != "") {
$where[] = "type = :type";
$values[':type'] = $by_type;
}
if ($by_make != "") {
$where[] = "make = :make";
$values[':make'] = $by_make;
}
if ($by_price != "") {
$where[] = "price = :price";
$values[':price'] = $by_price;
}
if ($by_year_of_registration != "") {
$where[] = "year_of_registration = :year";
$values[':year'] = $by_year_of_registration;
}
$sql_query .= implode(' AND ', $where);
$statement = $this->_dbHandle->prepare($sql_query); // prepare the query
$result = $statement->execute($values); // Pass in the values
if (!$result || $statement->rowCount() == 0) {
// query failed (invalid query, or no results)
} else {
// we have results
}
(您也可以将这些过滤器选项名称放在一个数组中,并在它们上面检查 $_POST,并以这种方式构造$where和$values,而不是像这样线性)